diff -crB auth-ldap-2.0.3/auth-ldap.conf auth-ldap-2.0.3-patched/auth-ldap.conf
*** auth-ldap-2.0.3/auth-ldap.conf	2007-01-22 12:50:42.000000000 -0600
--- auth-ldap-2.0.3-patched/auth-ldap.conf	2010-06-29 10:58:40.916276380 -0500
***************
*** 47,52 ****
--- 47,55 ----
  	#PFTable	ips_vpn_users
  
  	<Group>
+ 		# Match full user DN if true, uid only if false
+         	RFC2307bis	true
+ 
  		BaseDN		"ou=Groups,dc=example,dc=com"
  		SearchFilter	"(|(cn=developers)(cn=artists))"
  		MemberAttribute	uniqueMember
diff -crB auth-ldap-2.0.3/src/LFAuthLDAPConfig.m auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m
*** auth-ldap-2.0.3/src/LFAuthLDAPConfig.m	2007-01-22 12:50:42.000000000 -0600
--- auth-ldap-2.0.3-patched/src/LFAuthLDAPConfig.m	2010-06-29 10:58:40.916276380 -0500
***************
*** 79,84 ****
--- 79,85 ----
  
  	/* Group Section Variables */
  	LF_GROUP_MEMBER_ATTRIBUTE,	/* Group Membership Attribute */
+ 	LF_GROUP_MEMBER_RFC2307BIS,	/* Look for full DN for user in attribute */
  
  	/* Misc Shared */
  	LF_UNKNOWN_OPCODE,		/* Unknown Opcode */
***************
*** 146,151 ****
--- 147,153 ----
  static OpcodeTable GroupSectionVariables[] = {
  	/* name			opcode			multi	required */
  	{ "MemberAttribute",	LF_GROUP_MEMBER_ATTRIBUTE, NO,	NO },
+ 	{ "RFC2307bis",		LF_GROUP_MEMBER_RFC2307BIS, NO,	NO },
  	{ NULL, 0 }
  };
  
***************
*** 696,707 ****
--- 698,719 ----
  
  			switch(opcodeEntry->opcode) {
  				TRLDAPGroupConfig *config;
+ 				BOOL memberRFC2307BIS;
  
  				case LF_GROUP_MEMBER_ATTRIBUTE:
  					config = [self currentSectionContext];
  					[config setMemberAttribute: [value string]];
  					break;
  
+ 				case LF_GROUP_MEMBER_RFC2307BIS:
+ 					config = [self currentSectionContext];
+ 					if (![value boolValue: &memberRFC2307BIS]) {
+ 						[self errorBoolValue: value];
+ 						return;
+ 					}
+ 					[config setMemberRFC2307BIS: memberRFC2307BIS];
+ 					break;
+ 
  				case LF_LDAP_BASEDN:
  					config = [self currentSectionContext];
  					[config setBaseDN: [value string]];
diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.h auth-ldap-2.0.3-patched/src/LFLDAPConnection.h
*** auth-ldap-2.0.3/src/LFLDAPConnection.h	2007-01-22 12:50:42.000000000 -0600
--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.h	2010-06-29 10:58:40.920285882 -0500
***************
*** 56,61 ****
--- 56,62 ----
  			baseDN: (LFString *) base
  		    attributes: (TRArray *) attributes;
  - (BOOL) compareDN: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
+ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value;
  
  - (BOOL) setReferralEnabled: (BOOL) enabled;
  - (BOOL) setTLSCACertFile: (LFString *) fileName;
diff -crB auth-ldap-2.0.3/src/LFLDAPConnection.m auth-ldap-2.0.3-patched/src/LFLDAPConnection.m
*** auth-ldap-2.0.3/src/LFLDAPConnection.m	2007-03-22 15:09:51.000000000 -0500
--- auth-ldap-2.0.3-patched/src/LFLDAPConnection.m	2010-06-29 10:58:40.920285882 -0500
***************
*** 405,410 ****
--- 405,454 ----
  	return NO;
  }
  
+ - (BOOL) compare: (LFString *) dn withAttribute: (LFString *) attribute value: (LFString *) value {
+ 	struct timeval	timeout;
+ 	LDAPMessage	*res;
+ 	struct berval	bval;
+ 	int		err;
+ 	int		msgid;
+ 
+ 	/* Set up the ber structure for our value */
+ 	bval.bv_val = (char *) [value cString];
+ 	bval.bv_len = [value length] - 1; /* Length includes NULL terminator */
+ 
+ 	/* Set up the timeout */
+ 	timeout.tv_sec = _timeout;
+ 	timeout.tv_usec = 0;
+ 
+ 	/* Perform the compare */
+ 	if ((err = ldap_compare_ext(ldapConn, [dn cString], [attribute cString], &bval, NULL, NULL, &msgid)) != LDAP_SUCCESS) {
+ 		[TRLog debug: "LDAP compare failed: %d: %s", err, ldap_err2string(err)];
+ 		return NO;
+ 	}
+ 
+ 	/* Wait for the result */
+ 	if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ 		err = ldap_get_errno(ldapConn);
+ 		if (err == LDAP_TIMEOUT)
+ 			ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
+ 
+ 		[TRLog debug: "ldap_compare_ext failed: %s", ldap_err2string(err)];
+ 		return NO;
+ 	}
+ 
+ 	/* Check the result */
+ 	if (ldap_parse_result(ldapConn, res, &err, NULL, NULL, NULL, NULL, 1) != LDAP_SUCCESS) {
+ 		/* Parsing failed */
+ 		return NO;
+ 	}
+ 	if (err == LDAP_COMPARE_TRUE)
+ 		return YES;
+ 	else
+ 		return NO;
+ 
+ 	return NO;
+ }
+ 
  
  - (BOOL) _setLDAPOption: (int) opt value: (const char *) value connection: (LDAP *) ldapConn {
  	int err;
diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.h auth-ldap-2.0.3-patched/src/TRLDAPEntry.h
*** auth-ldap-2.0.3/src/TRLDAPEntry.h	2006-07-25 18:55:47.000000000 -0500
--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.h	2010-06-29 10:58:40.920285882 -0500
***************
*** 40,50 ****
--- 40,53 ----
  
  @interface TRLDAPEntry : TRObject {
  	LFString *_dn;
+ 	LFString *_rdn;
  	TRHash *_attributes;
  }
  
  - (id) initWithDN: (LFString *) dn attributes: (TRHash *) attributes;
  - (LFString *) dn;
+ - (LFString *) rdn;
+ - (void) setRDN: (LFString *) rdn;
  - (TRHash *) attributes;
  
  @end
diff -crB auth-ldap-2.0.3/src/TRLDAPEntry.m auth-ldap-2.0.3-patched/src/TRLDAPEntry.m
*** auth-ldap-2.0.3/src/TRLDAPEntry.m	2006-07-25 18:55:47.000000000 -0500
--- auth-ldap-2.0.3-patched/src/TRLDAPEntry.m	2010-06-29 10:58:40.920285882 -0500
***************
*** 42,47 ****
--- 42,48 ----
  		return self;
  
  	_dn = [dn retain];
+ 	_rdn = nil;
  	_attributes = [attributes retain];
  
  	return self;
***************
*** 49,54 ****
--- 50,56 ----
  
  - (void) dealloc {
  	[_dn release];
+ 	[_rdn release];
  	[_attributes release];
  	[super dealloc];
  }
***************
*** 57,62 ****
--- 59,72 ----
  	return _dn;
  }
  
+ - (LFString *) rdn {
+ 	return _rdn;
+ }
+ 
+ - (void) setRDN: (LFString *) rdn {
+ 	_rdn=rdn;
+ }
+ 
  - (TRHash *) attributes {
  	return _attributes;
  }
diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.h auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h
*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.h	2006-07-30 15:19:54.000000000 -0500
--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.h	2010-06-29 10:58:40.920285882 -0500
***************
*** 42,47 ****
--- 42,48 ----
  	LFString *_baseDN;
  	LFString *_searchFilter;
  	LFString *_memberAttribute;
+ 	BOOL	 _memberRFC2307BIS;
  	LFString *_pfTable;
  }
  
***************
*** 54,59 ****
--- 55,63 ----
  - (LFString *) memberAttribute;
  - (void) setMemberAttribute: (LFString *) memberAttribute;
  
+ - (BOOL) memberRFC2307BIS;
+ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS;
+ 
  - (LFString *) pfTable;
  - (void) setPFTable: (LFString *) tableName;
  
diff -crB auth-ldap-2.0.3/src/TRLDAPGroupConfig.m auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m
*** auth-ldap-2.0.3/src/TRLDAPGroupConfig.m	2006-07-30 15:19:54.000000000 -0500
--- auth-ldap-2.0.3-patched/src/TRLDAPGroupConfig.m	2010-06-29 10:58:40.920285882 -0500
***************
*** 81,86 ****
--- 81,94 ----
  	_memberAttribute = [memberAttribute retain];
  }
  
+ - (BOOL) memberRFC2307BIS {
+ 	return (_memberRFC2307BIS);
+ }
+ 
+ - (void) setMemberRFC2307BIS: (BOOL) memberRFC2307BIS {
+ 	_memberRFC2307BIS = memberRFC2307BIS;
+ }
+ 
  - (void) setPFTable: (LFString *) tableName {
  	if (_pfTable)
  		[_pfTable release];
diff -crB auth-ldap-2.0.3/src/auth-ldap.m auth-ldap-2.0.3-patched/src/auth-ldap.m
*** auth-ldap-2.0.3/src/auth-ldap.m	2007-01-22 12:50:42.000000000 -0600
--- auth-ldap-2.0.3-patched/src/auth-ldap.m	2010-06-29 11:02:14.680387830 -0500
***************
*** 307,320 ****
  			goto error;
  	}
  
- 	/* Bind if requested */
- 	if ([config bindDN]) {
- 		if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
- 			[TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
- 			goto error;
- 		}
- 	}
- 
          /* Certificate file */
  	if ((value = [config tlsCACertFile])) 
  		if (![ldap setTLSCACertFile: value])
--- 307,312 ----
***************
*** 340,345 ****
--- 332,345 ----
  		if (![ldap startTLS])
  			goto error;
  
+ 	/* Bind if requested */
+ 	if ([config bindDN]) {
+ 		if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
+ 			[TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
+ 			goto error;
+ 		}
+ 	}
+ 
  	return ldap;
  
  error:
***************
*** 409,414 ****
--- 409,415 ----
  	TREnumerator *entryIter;
  	TRLDAPEntry *entry;
  	TRLDAPGroupConfig *result = nil;
+ 	int userNameLength;
  
  	/*
  	 * Groups are loaded into the array in the order that they are listed
***************
*** 426,440 ****
  		/* Error occured, all stop */
  		if (!ldapEntries)
  			break;
! 
! 		/* Iterate over the returned entries */
! 		entryIter = [ldapEntries objectEnumerator];
! 		while ((entry = [entryIter nextObject]) != nil) {
! 			if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
! 				/* Group match! */
! 				result = groupConfig;
  			}
  		}
  		[entryIter release];
  		[ldapEntries release];
  		if (result)
--- 427,453 ----
  		/* Error occured, all stop */
  		if (!ldapEntries)
  			break;
! 		if ([groupConfig memberRFC2307BIS]) {
! 			/* Iterate over the returned entries */
! 			entryIter = [ldapEntries objectEnumerator];
! 
! 			while ((entry = [entryIter nextObject]) != nil) {
! 				if ([ldap compareDN: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser dn]]) {
! 					/* Group match! */
! 					result = groupConfig;
! 				}
! 			}
! 		} else {
! 			/* Iterate over the returned entries */
! 			entryIter = [ldapEntries objectEnumerator];
! 			while ((entry = [entryIter nextObject]) != nil) {
! 				if ([ldap compare: [entry dn] withAttribute: [groupConfig memberAttribute] value: [ldapUser rdn]]) {
! 					/* Group match! */
! 					result = groupConfig;
! 				}
  			}
  		}
+ 		
  		[entryIter release];
  		[ldapEntries release];
  		if (result)
***************
*** 551,556 ****
--- 564,570 ----
  	int ret = OPENVPN_PLUGIN_FUNC_ERROR;
  
  	username = get_env("username", envp);
+ 	LFString *userName=[[LFString alloc]initWithCString: username];
  	password = get_env("password", envp);
  	remoteAddress = get_env("ifconfig_pool_remote_ip", envp);
  
***************
*** 568,573 ****
--- 582,588 ----
  
  	/* Find the user record */
  	ldapUser = find_ldap_user(ldap, ctx->config, username);
+ 	[ldapUser setRDN: userName];
  	if (!ldapUser) {
  		/* No such user. */
  		[TRLog warning: "LDAP user \"%s\" was not found.", username];
